Purpose of our policy
- MT Business Solutions Ltd (Company number 10708395) (MTBS, we, us or our) provides the products and services offered on the MTBS website and/or mobile application www.mtbs.co (Platform)
- For the purposes of the Data Protection Act 2018 and General Data Protection (Regulation) GDPR, that came into effect on the 25th of May 2018, we are the data controller.
- We have adopted this policy to ensure that we have standards in place to protect the data that we collect about you that is necessary and incidental to:
- providing the products and services that we offer; and
- the normal day-to-day operations of our business.
- By publishing this policy, we aim to make it easy for our users, customers and the public to understand what data we collect and store, why we do so, how we receive and/or obtain that information, and the rights you have with respect to your data in our possession.
- Please note that our financial services partner, PFS, is a separate Data Controller. You can see details about how PFS uses and protects your personal data at the bottom of this page.
WHO AND WHAT THIS POLICY APPLIES TO
- We handle data in our own right and for and on behalf of our customers and users.
- Our policy does not apply to information we collect about businesses or companies; however, it does apply to information about the people in those businesses or companies which we store.
- The policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hardcopy.
- If, at any time, you provide data or other information about someone other than yourself, you warrant that you have that person’s consent to provide such information for the purpose specified.
- MTBS products are not available to children (persons under the age of 18 years).
THE INFORMATION WE COLLECT
- It is necessary for us to collect data in the normal course of business. This information allows us to identify who you are for the purposes of our business, share data when asked of us, contact you in the ordinary course of business and transact with you. Without limitation, the type of information we may collect is:
- Personal Information. We may collect personal details such as your name, location, date of birth, photograph, passport, driver’s license and other information that allows us to identify who you are;
- Contact Information. We may collect information such as your email address, mobile and/or landline telephone number, third-party usernames, residential and business address, and other information that allows us to contact you
- Financial Information. We may collect financial information related to you about payments you make and receive, such as the date, amount, currency and the details of the payee or payer, and other information that allows us to transact with you and/or provide you with our services;
- Statistical Information. We may collect information about your online and offline preferences, habits, movements, trends, decisions, associations, memberships, finances, purchases and other information for statistical purposes;
- Device Information. We collect device-specific information, such as the hardware model, operating system version, advertising identifier, unique application identifiers, unique device identifiers, browser type, language, wireless network, and mobile network information (including the mobile phone number); and
- Information you send us. We may collect any personal correspondence that you send us, or that is sent to us by others (such as credit reference or fraud prevention agencies) about your activities, including activities with our third-party partners.
- We may collect other data about you, which we will maintain in accordance with this policy.
- We may also collect anonymous non-data about you such as information regarding your computer, network and browser (including an IP address).
HOW INFORMATION IS COLLECTED
- Most information will be collected in association with an individual’s use of our products and services, an enquiry about MTBS or generally dealing with us. However, we may also receive data from other sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors, staff, recruitment agencies and our business partners. Information is likely to be collected as follows:
- Registrations/Subscriptions/Purchases. When individuals register, subscribe and or purchase a product, service, list, account, connection or other process whereby they enter data details or grant access to information in order to receive or access something, including a transaction or services;
- Accounts/Memberships. When an individual submits their details to open an account and/or become a member with us;
- Partners. When individuals grant us access to their accounts or allows information to be shared by our business partners.
- Supply/Contact. When individual supply us with goods or services. or contacts us in any way;
- Pixel Tags. Pixel tags and web beacons may enable us to send email messages in a format customer can read and they tell us whether mail has been opened.
- Shareholder Information. We collect information from each of our shareholders, such as the name, date of birth and address.
- As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of their data being collected, in particular by third parties.
- We may also collect anonymous non-data, which may be used and shared on an aggregated and anonymous basis.
HOW DATA IS STORED
- The data that we collect from you will be stored in the European Economic Area (EEA), but may be transferred to, and stored at, a destination outside the EEA, with and by third parties.
- Data may also be processed by third parties and/or staff operating outside the EEA who work for us or for one of our third-party partners. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing.
- We will retain data for the period necessary to fulfil the purposes outlined in this policy unless a longer retention period is required or permitted by law.
WHEN DATA IS USED
- In general, we will only use any data for the purpose for which it was collected, except with your permission. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.
- Information is used to enable us to operate our business, especially as it relates to you. This may include:
- the provision of MTBS Current Accounts and related services to you;
- verifying your identity;
- communicating with you about:
- your relationship with us;
- our services;
- our marketing and promotions to customers and prospects; and/or
- competitions, surveys and questionnaires;
- marketing and promotions to customers and prospects;
- investigating any complaints about or made by you, or if we have reason to suspect that you are in breach of any of our terms and conditions or that you are or have been otherwise engaged in any unlawful activity;
- carrying out regulatory checks and meeting our obligations to our regulators;
- preventing and detecting fraud, money laundering and other crime (such as identity theft);
- preparing high-level anonymised statistical reports, which would contain details such as the average number of company directors being authorised signatories to a company’s accounts. The information in these reports is never personal and you will never be identifiable from them. We may share these statistical and anonymised reports with third parties including non-MTBS companies; and/or
- as required or permitted by any law.
- If you publicly post about MTBS, or communicate directly with us, on a social media website, we may collect and process the data contained in such posts or in your public profile for addressing any customer services requests you may have and to monitor and influence public opinion of MTBS.
WHEN DATA IS DISCLOSED
- Upon your authorisation and instruction, to your advisers (such as accountants, lawyers, financial or other professional advisers).
- It may be necessary for us to disclose your data to third parties in a manner compliant with the Regulation in the course of our business, such as for processing activities like verification, due diligence, website hosting, data analytics, payment processing and when opening an account with MTBS through one of our trusted partners (such as your accountant).
- We will not disclose or sell your data to unrelated third parties under any circumstances unless we employ other companies to perform tasks on our behalf and we need to share your information with them to provide products and services to you.
- There are some circumstances in which we must disclose your information:
- where we reasonably believe that you may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of;
- as required by any law including court orders;
- as required by UK and overseas regulators and authorities in connection with their duties, including the regulator or authority having access payment details (including information about others involved in the payment);
- fraud prevention agencies we will always tell fraud prevention agencies if you give us false or fraudulent information. They will also allow other organisations (in the UK or abroad), including law enforcement agencies to access this information to prevent and detect fraud, money laundering or other crimes; and/or
- to sell our business (as we may transfer data to a new owner).
- If the Company becomes involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of the business to another company, we may share information with that company before and after the transaction closes.
THIRD PARTY SERVICES, WEBSITES AND ACCOUNTS
- We may share your information with third-party service providers in connection with the provision of MTBS and related services to you, and otherwise operating our business, marketing and promoting our products and services. We may link your account with a third party to our services to enable certain functionality, which allows us to obtain information from those accounts.
- If you sign-up to MTBS through one of our trusted partners (such as your Money Transfer Company) we may share information (such as your transaction data) in line with this service.
- For example, we may share your information as follows:
- authentication of identity, passport and driver’s license (such as AU10TIX, Onfido, LexisNexis);
- all information may be processed and stored with cloud service providers (such as Amazon Web Services);
- information may be required to communicate with you (such as Gmail from Google, Inc);
- to assist marketing and promotions to other customers and prospects on social media (such as Facebook or via post – please see the “Direct Mail Marketing” section below);
- in relation to the provision of a cross-border payment solution (such as our partnership with Saxo Payments).
- When you click on links to third-party websites, we may link your account with a third party to our services to enable certain functionality, which allows us to obtain information from those accounts.
- When linking your account with third parties, you must read the privacy policies of such providers, so that you can understand the manner in which they will handle your personal information. The information we may obtain from those services often depends on their privacy policies or account settings.
- These service providers may be located or have facilities that are located a different jurisdiction (including outside the EEA), in which case your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.
DIRECT MAIL MARKETING
- We may collect your name and address from publicly available sources such as Companies House and use this personal data to send you information about our services via post. Our lawful basis for processing this personal data is the legitimate interest of growing our business.
- You can opt out of receiving information from us via post at any time by following the instructions on the relevant correspondence or by contacting us using the contact details set out below. If you opt out, your request to opt out will override our legitimate interest in growing our business and we shall cease sending you information on our services via post.
CONSENT TO COLLECTION OF DATA
- You may opt to not have us collect your data and communicate with you at certain times. This may prevent us from offering you some or all our services and may terminate your access to MTBS, or other services you access with or through us.
- Opt In. Where relevant, you will have the right to choose to have your information collected and/or receive information from us; or
- Opt Out. Where relevant, you will have the right to choose to be excluded from some, if not all, information collection, and/or the receiving of that information from us. You may revoke your consent at any time, and the decision to opt out should be made through the same media by which you opted in.
- If you believe that you have received information from us that you did not opt in to receive, you should contact us on the details provided at the bottom of this page.
THE SAFETY & SECURITY OF DATA
- We will take all reasonable precautions to protect your data from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.
- Examples of such precautions include:
- Data encryption
- Intrusion detection systems
- Physical protection of premises where data is stored (24/7)
- Background checks for all employees accessing our physical facilities
- The security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. When you provide information to us via the internet or by post, you do so at your own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, data, where the security of information is not within our control.
- Privacy or security practices of any third party (including third parties that we are permitted to disclose your data to in accordance with this policy or any applicable laws) may be subject to separate privacy and security policies than that of MTBS’s.
- If you suspect any misuse or loss of, or unauthorised access to, your data, you should let us know immediately.
- We are not liable for any loss, damage or claim arising out of another person’s use of the data where we were authorised to provide that person with the data.
HOW TO ACCESS AND/OR UPDATE INFORMATION
- Current regulation gives you the right to request from us the data that we have about you.
- If you cannot update your own information, we will correct any errors in the data we hold on you within one month of receiving written notice from you about these errors.
- It is your responsibility to provide us with accurate and truthful data. We cannot be liable for any information that is provided to us that is incorrect.
- We may charge you a reasonable fee for our costs incurred in meeting any of your requests to disclose the data we hold on you, if such a request is manifestly unfounded or excessive. We reserve the right to clarify the specific information your request relates to.
- Information will be provided within one month of receipt of the request.
- You have the right to request that information held on you by MTBS is erased, where there are no additional legal and/or regulatory requirements for MTBS doing so.
COMPLAINTS AND DISPUTES
- You have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing; and
- processing for purposes of scientific/historical research and statistics
- unless we hold compelling legitimate grounds for processing or the processing is for the establishment, exercise or defence of legal claims.
- After 25th May 2018, you will be able to adjust your contact preferences at any time in the ‘More’ section of the MTBS app.
- You can choose how you would like to receive marketing and other non-business critical communications.
- Any changes made to these contact preferences can take up to 72 hours to come into effect.
- If you have a complaint about our handling of your data, you should address this complaint in writing to the details provided at the bottom of this page.
- You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your data infringes the General Data Protection Regulation.
- If you lodge a dispute regarding your data, we both must first attempt to resolve the issue directly between us.
- If we become aware of any unauthorised access to your data which is likely to result in a high risk for the rights and freedoms of the data subjects, we will inform you without undue delay after becoming aware of it, once we have established what was accessed and how it was accessed.
ADDITIONS TO THIS POLICY
- We reserve the right to modify this policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.
- If we decide to change this policy, we will post the changes on our website at https://www.mtbs.co/privacy-policy It is your responsibility to refer to this policy to review any amendments.
- All correspondence relating to privacy should be addressed to (by email where possible): [email protected]
The Data Controller, WeWork, Aldgate Tower, 2 Leman Street, London, E1 8FA
- PROVISION OF PAYMENT SERVICESPrepaid Financial Services Limited (PFS) provides technology, expertise and regulatory authority appropriate for the operation of payment services and e-money accounts on MTBS’s behalf.
WHO IS PFS AND HOW DO THEY PROTECT MY PERSONAL DATA?
- PFS is a company registered in England and Wales (Company number 06337638) and a registered office at Fifth Floor, Langham House, 302-308 Regent Street, London, W1B 3AT, United Kingdom. You can email PFS at [email protected]repaidfinancialservices.comor you can call PFS on +44 (0) 207 125 0321.
- PPFS is the Data Controller in relation to your Card and all necessary activities relating to the operation of the Card: allowing you to receive, activate and use your Card (activating, managing and using your online account where applicable, making and receiving payment transactions, meeting legal requirements, answering requests, providing information to you).PFS’s
It is important that you know exactly what PFS do with the personal information you and others make available to us and them, why it is collected and what it means for you. This document outlines the PFS approach to Data Privacy to fulfil their obligations under the EU General Data Protection Regulation (GDPR) 2018, as implemented on the 25th of May 2018. The advent of GDPR provided PFS with a further opportunity to reassure PFS customers of the importance placed on keeping your personal data secure, and of the strict guidelines PFS apply to its use.
THE PERSONAL DATA PFS WOULD LIKE TO COLLECT FROM YOU IS:
- First Name and Surname (with title);
- Date of birth;
- Proof of address documents;
- ID Documents;
- Other personal information such as telephone recordings; security questions, user ID;
- Bank Account details;
- Telephone number;
- Transactional information; and
- CCTV footage where you visit PFS offices.
THE PERSONAL DATA PFS COLLECT WILL BE USED FOR THE FOLLOWING PURPOSES:
- Providing prepaid card services to you as per PFS contractual obligations;
- Providing e-wallet services to you;
- Providing IBAN Account services to you;
- Processing your account information;
- To comply with PFS legal obligations for the prevention of fraud, money laundering, counter terrorist financing or misuse of services;
- Verifying y identity;
- Contacting you regarding PFS service to you; and
- Where requested by law enforcement for investigation of crime.
PFS LEGAL BASIS FOR PROCESSING THE PERSONAL DATA:
- receipt of your consent;
- performance of a contract where you are a party;
- legal obligations that PFS is required to meet; and
- national law.
- Any legitimate interests pursued by PFS, or third parties PFS use, are as follows:
- the prevention of fraud, money laundering, counter terrorist financing or misuse of services.
- By consenting to this privacy notice you are giving PFS permission to process your personal data specifically for the purposes identified above. Consent is required for PFS to process personal data, but it must be explicitly given. Where PFS are asking you for sensitive personal data, PFS will always tell you why and how the information will be used.
CONSENT FOR CHILDREN UNDER 16
- If you are giving consent on behalf of a child under sixteen (16) years of age then please be aware that Children need specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned, and also of their rights in relation to the processing of personal data for the purposes of using these services. By consenting to this privacy notice, on behalf of a minor, you are giving permission for their data to be used for the purposes described above.
WITHDRAWAL OF CONSENT CONDITIONS
- You may withdraw consent from direct marketing at any time by contacting PFS Data Protection Officer. Please note, where you have consented to your data being used for carrying out financial transactions, then the right to withdraw consent does not exist. As a payment service provider, PFS are obliged to retain data concerning financial transactions for 6 years in accordance with national law for the purpose of preventing, detecting and investigating, possible money laundering or terrorist financing.
INTERNATIONAL DATA TRANSFERS & THIRD-PARTY DISCLOSURES
- In limited situations where PFS stores or transfers personal information outside the EEA or the EU, robust procedures and safeguarding measures apply to secure, encrypt and maintain the integrity of the data. PFS will complete continual reviews of the countries with sufficient adequacy decisions, such as the Privacy Shield in the US, and provisions for binding corporate rules, standard data protection clauses or approved codes of conduct. PFS will further perform due diligence checks with all recipients of personal data to assess and verify that they have appropriate safeguards in place to protect the information. PFS undertakes that it shall not transfer Personal Data outside of the EEA or the EU in full compliance with Article 46 of the GDPR, and shall not transfer data outside of the EEA or EU unless the following conditions are fulfilled:
- The data subject has enforceable rights and effective legal remedies;
- PFS shall comply with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Customer in meeting its obligations);
- PFS complies with any reasonable instructions notified to it in advance with respect to the processing of the Personal Data; and
- Upon written direction shall delete or return Personal Data (and any copies of it) unless PFS is required by Law to retain the Personal Data.
Where PFS is required to transfer Personal Data to the United States of America, PFS shall only send such Personal Data to third-party sub-contractors that meet the minimum requirements contained under the Privacy Shield, or in the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament.
In the event that the Privacy Shield is repealed at any future date, for whatever reason, PFS shall only contract with third-party sub-contractors that satisfy the requirements contained in the standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Customer.
- PFS will process personal data for the duration of the contract for services and will store the personal data for six (6) years after that date of termination of the contract.
YOUR RIGHTS AS A DATA SUBJECT
- At any point while PFS are in possession of or processing your personal data, you, the data subject, have the following rights:
- Right of access – you have the right to request a copy of the information that PFS hold about you;
- Right of rectification – you have a right to correct data that PFS hold about you that is inaccurate or incomplete;
- Right to be forgotten – in certain circumstances you can ask for the data PFS hold about you to be erased from PFS records. Your data relating to financial transactions, accounts or cards cannot be deleted due to national law associated with the prevention of fraud, money laundering, counter terrorist financing or misuse of services for crime;
- Right to restriction of processing – where certain conditions apply to have a right to restrict the processing;
- Right of portability – you have the right to have the data PFS hold about you transferred to another organisation;
- Right to object – you have the right to object to certain types of processing such as direct marketing;
- Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling; and
- Right to judicial review, in the event that PFS refuses your request under rights of access, PFS will provide you with a reason as to why. You have the right to complain as outlined below.
All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data. You will find a copy of PFS Subject Access Request Form here: Choose your favourite Text editor:
- In the event that you wish to make a complaint about how your personal data is being processed by PFS (or third parties as above), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and PFS’s Data Protection Officer by email to [email protected]